启动错误问题排查
1、启动apache服务错误提示。
Starting httpd: httpd: Syntax error on line 211 of /etc/httpd/conf/httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/php.conf: Cannot
load /etc/httpd/modules/libphp5.so into server: libcrypto.so.6: cannot enable executable stack as shared object requires: Permission denied
Starting httpd: httpd: Syntax error on line 211 of /etc/httpd/conf/httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/php.conf: Cannot
load /etc/httpd/modules/libphp5.so into server: libcrypto.so.6: cannot enable executable stack as shared object requires: Permission denied
通过以上错误判断应为selinux问题。
2、尝试关闭selinux,启动apache。
/usr/sbin/setenforce 0
/etc/init.d/httpd start
Starting httpd: [Wed Apr 24 12:37:39 2019] [ OK ]
启动成功了。确定是selinux问题。为系统安全,不想关闭selinux改如何解决呢?
解决selinux问题:
1、查看audit.log日志。
/usr/sbin/setenforce 1
less /var/logs/audit/audit.log
type=AVC msg=audit(1556086804.050:571845): avc: denied { execstack } for pid=17397 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontex
t=root:system_r:httpd_t:s0 tclass=processtype=SYSCALL msg=audit(1556086804.050:571845): arch=c000003e syscall=10 success=no exit=-13 a0=7fff31feb000 a1=1000 a2=1000007 a3=4 items=0
ppid=17394 pid=17397 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=187 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
2、执行execstack处理。
最简单的解决办法就是执行execstack:
execstack --clear-execstack /lib/libcrypto.so.6
execstack --clear-execstack /lib/libcrypto.so.6
execstack 部分参数如下:
-s --set-execstack
Mark binary or shared library as requiring executable stack.
-c --clear-execstack
Mark binary or shared library as not requiring executable stack.
-q --query
Query executable stack marking of binaries and shared libraries. For each file it prints either - when executable stack
is not required, X when executable stack is required or ? when it is unknown whether the object requires or doesn’t
require executable stack (the marking is missing).
通过-q参数查看指定文件是否需要executable stack,如果输出的开头是"-",表示executable stack is not required,如果是“X”,表示executable stack is required,如果是“?”,表示未知。
:/root> execstack -q /lib/libcrypto.so.6
? /lib/libcrypto.so.6
:/root> execstack -c /lib/libcrypto.so.6
:/root> execstack -q /lib/libcrypto.so.6
- /lib/libcrypto.so.6
:/root>
3、根据日志生成PP文件。
grep httpd /var/log/audit/audit.log | audit2allow -M httpdfixlocal
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i httpdfixlocal.pp
4、执行PP文件。
/usr/sbin/semodule -i httpdfixlocal.pp
5、启动httpd,可正常启动。
注意:setsebool,semodule等命令需安装如下工具包。
yum install policycoreutils